The consumer lending industry bases its decisions to grant credit or make loans, or to give consumers preferred credit or loan terms, on the general principle of risk, i.e., risk of foreclosure. Credit and lending institutions typically avoid granting credit or loans to high risk consumers, or may grant credit or lending to such consumers at higher interest rates or other terms less favorable than those typically granted to consumers with low risk. As a means to quantify risk and allow for relative comparison between individual consumers, lenders use a credit score. A credit score is a numerical approximation of risk associated with an individual consumer and is generated based on that consumer's credit history. Credit bureaus have evolved to generate various types of credit scores based on respective proprietary processing of underlying credit information and other data related to an individual. These credit scores are marketed under various trade names, such as True Credit® by TransUnion, VantageScoreSM by VantageScore Solutions LLC, FICO® by Fair Isaac Corporation, etc., and are all intended to provide the best possible risk indicator for a particular individual. Among other things, the credit bureaus assess the credit history of individual consumers, process and maintain credit scores, and present credit score to lenders upon request.
As the credit score represents a consumer's ability to obtain and maintain credit, it is important for consumers to monitor their score. While the credit score is typically a product of the consumer's activities, it is possible that the activities of others, whether through fraud or through unknown but authorized use, may affect the credit score as well. In such cases, a consumer may be able to correct harm, or at least prevent further harm, to their credit file if such activities are identified through the monitoring process and addressed in a timely manner. If unintended activities are not identified by a consumer and rectified in a timely manner, severe damage to that consumer's credit score can occur, which may significantly impair that consumer's ability to obtain credit or a loan.
Due to the increasing importance of monitoring credit files, systems have been developed to help consumers with the process. Such systems, for instance, may alert the consumer when certain activity has occurred that will negatively affect their credit score. However, for security reasons, no specific information would generally be relayed. Rather, the consumer, upon receiving an alert, must check his or her credit file manually to determine the validity of the new credit transactions. Other reasons a consumer might need quick access to their credit file may include: to determine how much credit is likely to be available to them; to ascertain their credit score; or to simply check what active accounts are attached to their credit.
The increasing availability of networks such as the Internet, and especially the improved ability to present data in a secure manner through a webpage on the Internet—such as, for example, through application of secure sockets layer (SSL) protocol or Virtual Private Networks (VPNs)—have enabled the development of systems and related services for viewing secure information remotely via a client device or interface, such as a personal computer, laptop or mobile device having internet or network functionality. The Internet in particular provides a powerful and widely accepted medium for such systems due to its ubiquitous nature. A consumer wishing to view his or her credit history may now do so over any device having direct connectivity or indirect access to the Internet, provided that the consumer can be properly authenticated and his or her credit file can be found. In addition, many other sources of private, secure information can be made available through use of the Internet. For example, banks or other financial service entities might make account history available to account holders, insurance companies might make claims or other account information available to their clients, hospitals or other medical care providers might make patient medical records available to their patients, academic institutions might make tuition statements or grades available to their students, the government might make tax history available to tax payers, etc. In essence, any organization that generates or collects private information on individuals might benefit by using the Internet to display or deliver that information directly to those individuals, rather than relying on more costly and time consuming methods of conveying such information.
A first step prior to disclosing any such information, however, is to ensure the individual's identity is properly authenticated. If an organization is careless in granting access or displaying information, at a minimum, the secure nature of the data it stores will be compromised, with the potential of having disastrous consequences and liability resulting therefrom. The utility of the Internet in these security sensitive applications cannot be harnessed if this first step is not properly managed.
The traditional means to perform Internet (“on-line” or “web-based”) verification is by having the website visitor initially set up an account and provide a set of information that, in theory, only the website visitor would know. Many systems rely on nothing more than a username or account number to identify the account and a password to authenticate the website visitor. While this may be effective, passwords provide little security if they are ascertainable by others. In order to make it harder for others to ascertain passwords, password requirements have become more complex. However, this causes people to often forget them. When a password is forgotten, a back-up method of authentication is required. In other cases, such as with consumer credit files, information may be maintained in the absence of a specific account and password. For instance, a credit bureau collects a consumer's credit history regardless of whether he or she has ever contacted the credit bureau to establish a personal account and password. Thus, credit bureaus cannot rely on a consumer having a password, but must authenticate the consumer through other means should they seek access to their credit file.
The method generally used when a password is forgotten, or when such a means of authentication is not suitable, is to ask a website visitor one or more personal questions through the website interface. The answers to these questions are stored within the website visitor's file and have either been previously supplied by the website visitor or consist of certain private data that only the website visitor would likely know. When such questions are presented and answered correctly, system designers can have a higher level of confidence that the website visitor has been properly authenticated.
While this question and answer process is a generally effective primary means of authentication, and an effective secondary means in the case of password failure, it has its limitations. In some cases, there is simply not enough information within the individual website visitor's file to generate proper authentication questions. In other cases, the website visitor may be presented with questions which they need to look up to properly answer, which may not be readily available. Finally, there is the inevitable scenario where, for any number of reasons, an answer supplied does not match the recorded answer within the account.
In addition, the design and architecture of existing systems that use security question based verification of identity require product release and development life cycles to add new questions or tailor questions to a particular type of subject matter. Such programming is controlled by the system provider. This makes the process of evolving security questions slower and more time consuming because the security questions used are coded into software through standard programming languages such that additions and changes can only be done by computer programmers and not business personnel. Accordingly, it would be beneficial to allow business personnel, including, but not limited to, business personnel of an entity employing or using the system as part of their business process, a simple and efficient way to define questions to be asked to a consumer or details about those questions.
The principles of the invention address these and other problems through the application of additional systems and methods for, among other things, identity verification of a user seeking access to confidential information over a network, such as the Internet. These systems and methods can be used as either primary or back-up means to authenticate users of a network, such as website visitors on the Internet, prior to granting access to confidential information, such as, for example, credit file data. These and other aspects of the invention will become readily apparent from the written specification, drawings, and claims provided herein.